
In this case the security office had sent a notification that a potentially malicious email which bypassed antimalware protection had to be removed from users' mailboxes. To find out who had received the specified email (the sender of the malicious email was provided in the escalation information from the security office), in the case of multirole Exchange servers, I checked the message tracking logs using the following syntax:

Get-ExchangeServer | Get-MessageTrackingLog -Start (Get-Date).AddDays(-1) -End (Get-Date) -ResultSize Unlimited -EventId DELIVER -Sender "malicioussender@domain.some"
Fortunately, the number of users who had received the specified email message was small. Knowing the affected users, the email message can be removed from their mailboxes using the Search-Mailbox cmdlet. To run Search-Mailbox, the user running it must be a member of the Discovery Management role group.
For example, to search the affected mailbox for the messa…
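The whole procedure from the post, scoping recipients from the tracking logs and then removing the message with Search-Mailbox, as an added example written for the Exchange Management Shell. This is not the post's own code; the sender address, the one-day window, the evidence mailbox name and the CSV path are assumptions. It adds two checks a responder usually wants before deleting anything: an exported record of who received the message, and an estimate-only pass of Search-Mailbox so the hit counts can be reviewed before the delete run.

```powershell
# Added example, not code from the original post. Requires the Exchange
# Management Shell; Search-Mailbox needs Discovery Management membership.
# Sender, window, evidence mailbox and CSV path are assumed values.

$Sender    = 'malicioussender@domain.some'   # from the security office escalation
$Start     = (Get-Date).AddDays(-1)
$End       = Get-Date
$TargetBox = 'ir-evidence@domain.some'        # assumed mailbox that keeps a copy of purged items

# 1. Who received it? Query every server's tracking log for DELIVER events from the sender.
$deliveries = Get-ExchangeServer |
    Get-MessageTrackingLog -Start $Start -End $End -ResultSize Unlimited `
                           -EventId DELIVER -Sender $Sender

# Recipients is an array per event; flatten and deduplicate to get the affected users.
$recipients = $deliveries |
    ForEach-Object { $_.Recipients } |
    Sort-Object -Unique

Write-Host "Delivery events: $($deliveries.Count); distinct recipients: $($recipients.Count)"

# Keep a record (who, when, subject, message id) before touching any mailbox.
$deliveries |
    Select-Object Timestamp, Sender, Recipients, MessageSubject, MessageId |
    Export-Csv -Path ".\delivered-$(Get-Date -Format yyyyMMdd-HHmm).csv" -NoTypeInformation

# KQL query for the mailbox search; narrow it further (e.g. Subject:"...") if the
# escalation supplied a subject, so the delete touches only the reported message.
$query = "From:`"$Sender`""

# 2. Dry run: -EstimateResultOnly returns per-mailbox hit counts without copying or deleting.
$estimate = foreach ($rcpt in $recipients) {
    Search-Mailbox -Identity $rcpt -SearchQuery $query -EstimateResultOnly
}
$estimate | Select-Object Identity, ResultItemsCount, ResultItemsSize | Format-Table -AutoSize

# 3. Remove, copying each item into the evidence mailbox so it can be reviewed or restored.
#    Uncomment once the estimate looks right; -Confirm:$false suppresses the per-mailbox prompt.
# foreach ($rcpt in $recipients) {
#     Search-Mailbox -Identity $rcpt -SearchQuery $query `
#         -TargetMailbox $TargetBox -TargetFolder "Purged-$Sender" `
#         -DeleteContent -Confirm:$false
# }
```

The estimate step matters because a From: query matches every message from that sender still in the mailbox, not only the one that was reported; if the counts look higher than the tracking log suggests, tighten the query before running the delete.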